In certain environments, a user of a computing device accesses two or more multiply-distrusting applications. For instance, the user may access multiple applications running on an operating system that implements secure application isolation, multiple applications from different web sites separated by isolation mechanisms implemented by a web browser, multiple applications contained in virtual machines, and the like. In these instances, the applications and their data are strictly isolated from one another to increase the difficulty for one application to violate the privacy or confidentiality of the data in another application. This contrasts with weakly- or non-isolated multiple-application environments, such as traditional operating-system environments. Here, each application, by default, has access to most data of the user and, therefore, operates on a trust assumption that the application will only access or manipulate data when a user requests the application to do so. This assumption places great trust in developers of applications that operate within the traditional operating-system environment.
Meanwhile, when operating in an environment that isolates applications from one another, the user may desire to allow specific, controlled interactions between the isolated applications. Many such mechanisms are possible. For example, the user could establish a shared document store to which both applications have access, saving data into the store from the first application and opening it in the second. However, such techniques may prove burdensome to the user. For instance, this interaction involves effort to behalf of the user to set up and use the shared document store, making a simple interaction tedious relative to the default sharing policy of the conventional desktop paradigm. Further, these techniques introduce subtle security concerns. For instance, if an interaction channel, such as the shared folder, persists for a length of time, future data may leak unintentionally through this folder. For example, the user may save accidentally a more private file into the shared folder, leaking this file to the second application and, thus, violating confidentiality. Or, a malicious application with persistent access to the folder may subtly modify or alter a file at an arbitrary point in the future, compromising the integrity of the file.
Another mechanism to allow for interactions between otherwise isolated applications is to query the user each time an application attempts to communicate with another application. For instance, the techniques may present the user with a pop-up dialog box that asks the user to confirm that the user wishes to allow the requested communication. However, this places a burden on the user, and can sufficiently numb the user such that the user becomes habituated to clicking through such confirmation queries without thinking sufficiently about the implication of such selections. Such a scenario compromises security within the otherwise secure application-isolation environment.